Hi, one of my clients is receiving phishing emails from a Spark account.
Could someone look into this? Thanks in advance.

Oblivian: Let us introduce you to sender spoofing...
Look at the email raw data, not what the client says.
You can put a From address of anything you please if there is not full checking.
That's clearly the flavour of the month to get people calling the call centres now that the baiters make more people aware. Got 5 in my Gmail trapped spam yesterday.
My "client" is a person, not an email client.

EDIT: I screenshotted the wrong email before. Fixed.

This is from xtra webmail. Still sent from xtramail although "mcafee" may be an alias.
I should add I have full authority on the above account so I'm looking at the emails first hand. :)
The IP 10.23.30.21 doesn't seem to be an xtra one. It seems to be an internal one.
mattwnz: The IP 10.23.30.21 doesn't seem to be an xtra one. It seems to be an internal one.
The phishing email came from a Spark xtramail address, and I'm not concerned about the phishing attempt; I'm concerned that the sender's xtramail email account may be hacked.
This wouldn't be the first time I've come across this either.
Five years ago I discovered another client's xtramail account was being used to send phishing emails. At that time Spark were still with Yahoo, so most likely his login details were sold by Russian hackers.
The client I first mentioned doesn't even know about this. I noticed the email while transferring the account over to gmail.
OK, so looking closely it appears the original sender wasn't xtramail. How did it get forwarded from the xtramail account in the second shot?
I still think the xtra account has been compromised.
Original

Sent to below

Full path below.
So it would seem scammers are using the xtramail account (colinaa.sarahw) to forward phishing emails thereby bypassing spam filters?
Colinaa.sarahw is not on Yvonne's (my client) contact list.


Sent a test:
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
>>> colinaa.sarahw@xtra.co.nz (after RCPT TO): 550 5.1.1 User unknown
Thanks guys for responses. Seems I'm always learning something new here. :)

I gather the only sure way to determine the sender is the first IP at the bottom of the header? Of the 4 hops, what are the 2 local addresses? Internal mail servers? Why are there two?
The correct answer was already in the first reply. Spoofing is very easy and by itself doesn't indicate a compromised account.
This message originated externally, and spoofed not only the From header but even the Message-ID and other headers to make it appear to have originated from the Xtramail platform.
This is a problem that will go once Spark activate their SPF hard fail and DMARC, as that will cause spoofed messages to be dropped at the border.
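As an added illustration (not code from anyone in this thread), here is a small Python script that walks the Received chain the way the replies describe: it lists the hops from the bottom of the header block upwards, marks RFC1918 addresses as internal relays, treats only the Received line written by one of your own servers as the real hand-off point (anything below it can be typed in by the sender), and reads the SPF/DMARC verdicts your MX recorded. The sample message, host names and addresses are all constructed.

```python
import email
import ipaddress
import re

# Constructed sample (hypothetical hosts): the bottom Received line was appended by the
# sender and claims an xtra-internal relay; our own MX recorded the real peer above it.
RAW_MESSAGE = b"""\
Received: from mailstore.example.net ([10.23.30.21])
\tby inbox.example.net; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mx.example.net ([10.23.30.5])
\tby mailstore.example.net; Mon, 1 Jan 2024 10:00:02 +0000
Received: from webmail.xtra.co.nz ([203.0.113.9])
\tby mx.example.net; Mon, 1 Jan 2024 10:00:01 +0000
Received: from smtp.xtra.co.nz ([198.51.100.77])
\tby webmail.xtra.co.nz; Mon, 1 Jan 2024 09:59:50 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=xtra.co.nz; dmarc=none
From: "McAfee" <someone@xtra.co.nz>
Message-ID: <forged@xtra.co.nz>
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP = re.compile(r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>[^\s;]+)", re.S)

def trace_hops(raw):
    """Received hops in delivery order: the bottom line of the header block is the earliest."""
    hops = []
    for hdr in reversed(email.message_from_bytes(raw).get_all("Received", [])):
        m = HOP.search(hdr)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            hops.append({"helo": m["helo"], "ip": str(ip), "by": m["by"],
                         "internal": any(ip in net for net in RFC1918)})
    return hops

def true_origin(hops, our_domain):
    """First hop written by one of our own servers; every line below it may be forged."""
    for hop in hops:
        if hop["by"] == our_domain or hop["by"].endswith("." + our_domain):
            return hop
    return None

def auth_results(raw):
    """spf/dkim/dmarc verdicts from Authentication-Results, if the receiving MX adds them."""
    verdicts = {}
    for hdr in email.message_from_bytes(raw).get_all("Authentication-Results", []):
        verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
    return verdicts

if __name__ == "__main__":
    print(true_origin(trace_hops(RAW_MESSAGE), "example.net"), auth_results(RAW_MESSAGE))
```

The two 10.x hops are the receiving side's own internal relays; the real origin is whatever peer the first server you control logged, which here is 203.0.113.9 announcing itself as an xtra host, and the SPF fail is what an enforced hard-fail/DMARC policy would act on.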